Modern computer networking threats are very sophisticated, and their behaviors are becoming more dynamic and stealthy in nature. It is fair to say that each threat is a macro behavior which comprises a chain of micro behaviors. For instance, data exfiltration is a macro behavior which could comprise various stages (micro behaviors), e.g., a secure shell ("ssh") brute force followed by a secure copy ("scp") data transfer out of the network. Such threats, if successful, are very hard to detect, as the various stages (behaviors) of their attack kill chain typically occur very slowly and in low volume. Moreover, defense mechanisms are not comprehensively unified to deconstruct the various stages of the attack kill chain. With the fast-growing variations of these threats (e.g., advanced persistent threats), the complexity of the problem of deconstructing their kill chains very quickly becomes an ever-increasing challenge. Hence, the next generation of network security solutions needs to analyze enormous numbers of events over extended periods of time to better learn the attack behaviors. Additionally, defenders should be able to model (mimic) the various stages of an attack's kill chain, where these stages could be represented by newly defined behavioral models (e.g., behavioral analytics). Such behavioral models need to be very rich and easy to express.
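The following is an added illustration, not part of the original text, of what "a macro behavior composed of micro behaviors" looks like as detection logic. It chains the two example stages named above (an ssh brute force, then an scp transfer out of the network) into one per-source state machine that tolerates a long gap between stages, which is the "low and slow" property that defeats per-event rules. The log lines, field names, thresholds (5 failures in 10 minutes, 100 MB, 24-hour chain window) and event names are all constructed for this example and are not taken from any real system; a practitioner would swap in their own log parser and tune the thresholds.

```python
"""Chain two micro behaviors into one macro behavior (added example).

Stage 1, ssh_brute_force : >= BRUTE_FAILS failed ssh logins from one source
                           within BRUTE_WINDOW.
Stage 2, scp_exfil       : an outbound scp transfer of >= EXFIL_BYTES from
                           the same source within CHAIN_WINDOW of stage 1.
Only a source that completes both stages, in order, raises an alert.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the original text.
BRUTE_FAILS = 5
BRUTE_WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 100_000_000
CHAIN_WINDOW = timedelta(hours=24)   # stages may be hours apart ("low and slow")

# Constructed sample log (hypothetical format: "<ts> <event> src=<ip> k=v ...").
# 10.0.0.5  : brute force, a later success, then a large scp hours later -> alert
# 10.0.0.9  : one failure and a tiny scp                                 -> no alert
# 10.0.0.7  : large scp with no brute force before it                    -> no alert
# 10.0.0.12 : brute force, but the large scp comes after CHAIN_WINDOW    -> no alert
SAMPLE_LOG = """\
2024-03-01T00:00:05 sshd_fail src=10.0.0.5 user=root
2024-03-01T00:00:07 sshd_fail src=10.0.0.5 user=admin
2024-03-01T00:00:09 sshd_fail src=10.0.0.5 user=oracle
2024-03-01T00:00:12 sshd_fail src=10.0.0.5 user=test
2024-03-01T00:00:15 sshd_fail src=10.0.0.5 user=guest
2024-03-01T00:01:30 sshd_ok src=10.0.0.5 user=backup
2024-03-01T03:40:00 scp_out src=10.0.0.5 bytes=734003200
2024-03-01T00:00:20 sshd_fail src=10.0.0.9 user=root
2024-03-01T00:05:00 scp_out src=10.0.0.9 bytes=4096
2024-03-01T02:00:00 scp_out src=10.0.0.7 bytes=900000000
2024-03-01T01:00:01 sshd_fail src=10.0.0.12 user=root
2024-03-01T01:00:02 sshd_fail src=10.0.0.12 user=root
2024-03-01T01:00:03 sshd_fail src=10.0.0.12 user=root
2024-03-01T01:00:04 sshd_fail src=10.0.0.12 user=root
2024-03-01T01:00:05 sshd_fail src=10.0.0.12 user=root
2024-03-03T09:00:00 scp_out src=10.0.0.12 bytes=734003200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ev>\w+) src=(?P<src>[\d.]+)(?: (?P<rest>.*))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    extra = dict(p.split("=", 1) for p in (m["rest"] or "").split())
    return {"ts": datetime.fromisoformat(m["ts"]), "ev": m["ev"], "src": m["src"], **extra}


def parse_log(text):
    """Parse and time-order all events; the chain logic assumes chronological input."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


class SourceState:
    """Per-source progress through the macro behavior."""
    def __init__(self):
        self.fail_times = deque()   # sliding window of recent ssh failures
        self.stage = 0              # index of the next stage to satisfy
        self.stage_times = []       # when each completed stage was observed


def stage_brute_force(state, e):
    if e["ev"] != "sshd_fail":
        return False
    state.fail_times.append(e["ts"])
    while state.fail_times and e["ts"] - state.fail_times[0] > BRUTE_WINDOW:
        state.fail_times.popleft()
    return len(state.fail_times) >= BRUTE_FAILS


def stage_scp_exfil(state, e):
    return e["ev"] == "scp_out" and int(e.get("bytes", 0)) >= EXFIL_BYTES


# The macro behavior is just an ordered list of (name, predicate) micro behaviors,
# so adding a stage (e.g. a successful login between the two) is a one-line change.
STAGES = [("ssh_brute_force", stage_brute_force), ("scp_exfil", stage_scp_exfil)]


def detect(events, stages=STAGES, chain_window=CHAIN_WINDOW):
    """Run every source through the stage chain; return one alert per completed chain."""
    states = defaultdict(SourceState)
    alerts = []
    for e in events:
        st = states[e["src"]]
        # A partially completed chain expires if the next event is too far from the last stage.
        if st.stage_times and e["ts"] - st.stage_times[-1] > chain_window:
            st.stage, st.stage_times = 0, []
        _, predicate = stages[st.stage]
        if predicate(st, e):
            st.stage_times.append(e["ts"])
            st.stage += 1
            if st.stage == len(stages):
                alerts.append({"src": e["src"], "stages": [n for n, _ in stages],
                               "times": list(st.stage_times)})
                st.stage, st.stage_times = 0, []
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The point of the chain window is the caveat in the text: neither stage is alarming on its own (a handful of failed logins, or one large transfer from a source that is allowed to use scp), and a rule that looks at each event in isolation, or only at events within a few minutes of each other, never sees the macro behavior. The per-source state is small (a stage index and a few timestamps), which is what makes carrying it across hours practical.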
Continuously and blindly capturing huge volumes of raw data over very long periods of time in order to learn attackers' behaviors is very expensive in terms of CPU cycles, memory, and power consumption. Moreover, current data planes are still mostly built from static-function packet processing hardware.